def test_refresh_grant_failed():
    """Check that a failed token request surfaces as RefreshError.

    The token endpoint helper is mocked to report failure with the payload
    ``{"error": "Bad request"}``. The test also pins the exact form body
    handed to the endpoint helper: client secret, refresh token, the scopes
    joined with a single space, and the RAPT under the ``rapt`` key.
    """
    expected_body = {
        "grant_type": "refresh_token",
        "client_id": "client_id",
        "client_secret": "client_secret",
        "refresh_token": "refresh_token",
        "scope": "foo bar",
        "rapt": "rapt_token",
    }
    endpoint_patch = mock.patch(
        "google.oauth2._client._token_endpoint_request_no_throw"
    )

    with endpoint_patch as token_request:
        # (ok, payload) pair: ok=False makes refresh_grant take its error path.
        token_request.return_value = (False, {"error": "Bad request"})

        with pytest.raises(exceptions.RefreshError) as excinfo:
            reauth.refresh_grant(
                MOCK_REQUEST,
                "token_uri",
                "refresh_token",
                "client_id",
                "client_secret",
                scopes=["foo", "bar"],
                rapt_token="rapt_token",
            )

        # The server's error text has to reach the caller.
        assert excinfo.match(r"Bad request")
        token_request.assert_called_with(MOCK_REQUEST, "token_uri", expected_body)
def test_refresh_grant_success():
    """Expect a ``rapt_required`` rejection to end in a successful refresh.

    The token endpoint helper is mocked to fail once with ``invalid_grant`` /
    ``rapt_required`` and then to return an access token. ``get_rapt_token``
    is mocked to return ``"new_rapt_token"``, which must be the last element
    of the returned tuple.
    """
    # NOTE(review): the refresh_grant call below takes the same arguments as
    # the one in test_refresh_grant_reauth_refresh_disabled, which expects
    # RefreshError for the same endpoint replies. The only difference here is
    # the get_rapt_token patch -- confirm which refresh_grant signature this
    # test targets.
    endpoint_replies = [
        (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}),
        (True, {"access_token": "access_token"}),
    ]
    expected = (
        "access_token",
        "refresh_token",
        None,
        {"access_token": "access_token"},
        "new_rapt_token",
    )

    with mock.patch(
        "google.oauth2._client._token_endpoint_request_no_throw"
    ) as token_request:
        token_request.side_effect = endpoint_replies

        with mock.patch(
            "google.oauth2.reauth.get_rapt_token", return_value="new_rapt_token"
        ):
            result = reauth.refresh_grant(
                MOCK_REQUEST,
                "token_uri",
                "refresh_token",
                "client_id",
                "client_secret",
            )
            assert result == expected
def test_refresh_grant_reauth_refresh_disabled():
    """Expect RefreshError when the server asks for reauth and none is enabled.

    The token endpoint helper is mocked to answer ``invalid_grant`` /
    ``rapt_required`` first. ``refresh_grant`` is called with only its five
    positional arguments and must raise with a message matching
    ``"Reauthentication is needed"``.
    """
    # NOTE(review): the switch that enables reauth during refresh is
    # presumably a refresh_grant keyword left at its default here -- confirm
    # against refresh_grant. get_rapt_token is deliberately not patched.
    endpoint_replies = [
        (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}),
        (True, {"access_token": "access_token"}),
    ]
    endpoint_patch = mock.patch(
        "google.oauth2._client._token_endpoint_request_no_throw"
    )

    with endpoint_patch as token_request:
        token_request.side_effect = endpoint_replies

        with pytest.raises(exceptions.RefreshError) as excinfo:
            reauth.refresh_grant(
                MOCK_REQUEST,
                "token_uri",
                "refresh_token",
                "client_id",
                "client_secret",
            )

        assert excinfo.match(r"Reauthentication is needed")
def refresh(self, request):
    """Exchange the stored refresh token for a new access token.

    Args:
        request: Passed through unchanged to ``reauth.refresh_grant``.

    Raises:
        exceptions.RefreshError: If refresh_token, token_uri, client_id or
            client_secret is missing, or if the response carries a ``scope``
            field that lacks one of the requested scopes. Errors raised by
            ``reauth.refresh_grant`` itself are not caught here.
    """
    cannot_refresh = (
        self._refresh_token is None
        or self._token_uri is None
        or self._client_id is None
        or self._client_secret is None
    )
    if cannot_refresh:
        raise exceptions.RefreshError(
            "The credentials do not contain the necessary fields need to "
            "refresh the access token. You must specify refresh_token, "
            "token_uri, client_id, and client_secret."
        )

    # Explicit scopes win; default scopes are used only when none were set.
    scopes = self._default_scopes if self._scopes is None else self._scopes

    grant = reauth.refresh_grant(
        request,
        self._token_uri,
        self._refresh_token,
        self._client_id,
        self._client_secret,
        scopes=scopes,
        rapt_token=self._rapt_token,
    )
    access_token, refresh_token, expiry, grant_response, rapt_token = grant

    # State is committed before the scope check below. When that check
    # raises, the instance already holds the new token, refresh token and
    # RAPT, so a caller that catches RefreshError keeps a token with fewer
    # scopes than it asked for.
    self.token = access_token
    self.expiry = expiry
    self._refresh_token = refresh_token
    self._id_token = grant_response.get("id_token")
    self._rapt_token = rapt_token

    # The check runs only when scopes were requested and the response has a
    # "scope" field; a response without that field is accepted unverified.
    if not scopes or "scope" not in grant_response:
        return

    # Only missing scopes are detected; scopes granted beyond the request
    # pass this check unnoticed.
    granted = frozenset(grant_response["scope"].split())
    missing = frozenset(scopes) - granted
    if missing:
        # Set iteration order is not stable, so the scope order in the
        # message can differ between runs.
        raise exceptions.RefreshError(
            "Not all requested scopes were granted by the "
            "authorization server, missing scopes {}.".format(", ".join(missing))
        )
def refresh(self, request):
    """Obtain a new access token via the refresh handler or the refresh grant.

    With no refresh token and a ``refresh_handler`` set, the handler supplies
    the token and expiry. Otherwise the stored refresh token is exchanged
    through ``reauth.refresh_grant``.

    Args:
        request: Passed through unchanged to the refresh handler or to
            ``reauth.refresh_grant``.

    Raises:
        exceptions.RefreshError: If the handler returns a non-string token, a
            non-datetime expiry or an expiry inside the clock-skew window; if
            refresh_token, token_uri, client_id or client_secret is missing;
            or if the response carries a ``scope`` field that lacks one of
            the requested scopes. Errors raised by ``reauth.refresh_grant``
            itself are not caught here.
    """
    # Explicit scopes win; default scopes are used only when none were set.
    scopes = self._default_scopes if self._scopes is None else self._scopes

    # The handler is consulted only when there is no refresh token. It covers
    # tokens produced on demand by an external process, for example
    # downscoped tokens fetched from a token broker.
    if self._refresh_token is None and self.refresh_handler:
        handler_token, handler_expiry = self.refresh_handler(request, scopes=scopes)

        # Type and freshness are the only checks on the handler's output; no
        # scope comparison happens on this path.
        if not isinstance(handler_token, str):
            raise exceptions.RefreshError(
                "The refresh_handler returned token is not a string."
            )
        if not isinstance(handler_expiry, datetime):
            raise exceptions.RefreshError(
                "The refresh_handler returned expiry is not a datetime object."
            )
        now = _helpers.utcnow()
        usable_until = handler_expiry - _helpers.CLOCK_SKEW
        if now >= usable_until:
            raise exceptions.RefreshError(
                "The credentials returned by the refresh_handler are "
                "already expired."
            )

        # Only token and expiry are updated here; the id token and the RAPT
        # keep their previous values.
        self.token = handler_token
        self.expiry = handler_expiry
        return

    cannot_refresh = (
        self._refresh_token is None
        or self._token_uri is None
        or self._client_id is None
        or self._client_secret is None
    )
    if cannot_refresh:
        raise exceptions.RefreshError(
            "The credentials do not contain the necessary fields need to "
            "refresh the access token. You must specify refresh_token, "
            "token_uri, client_id, and client_secret."
        )

    grant = reauth.refresh_grant(
        request,
        self._token_uri,
        self._refresh_token,
        self._client_id,
        self._client_secret,
        scopes=scopes,
        rapt_token=self._rapt_token,
    )
    access_token, refresh_token, expiry, grant_response, rapt_token = grant

    # State is committed before the scope check below. When that check
    # raises, the instance already holds the new token, refresh token and
    # RAPT, so a caller that catches RefreshError keeps a token with fewer
    # scopes than it asked for.
    self.token = access_token
    self.expiry = expiry
    self._refresh_token = refresh_token
    self._id_token = grant_response.get("id_token")
    self._rapt_token = rapt_token

    # The check runs only when scopes were requested and the response has a
    # "scope" field; a response without that field is accepted unverified.
    if not scopes or "scope" not in grant_response:
        return

    # Only missing scopes are detected; scopes granted beyond the request
    # pass this check unnoticed.
    granted = frozenset(grant_response["scope"].split())
    missing = frozenset(scopes) - granted
    if missing:
        # Set iteration order is not stable, so the scope order in the
        # message can differ between runs.
        raise exceptions.RefreshError(
            "Not all requested scopes were granted by the "
            "authorization server, missing scopes {}.".format(", ".join(missing))
        )